Squid: denial of service in http digest authentication
CVE-2023-46847

7.5HIGH

Key Information:

Vendor
Red Hat
Status
Red Hat Enterprise Linux 6 Extended Lifecycle Support
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 7.6 Advanced Update Support
Red Hat Enterprise Linux 7.7 Advanced Update Support
Vendor
CVE Published:
3 November 2023

Summary

Squid is affected by a vulnerability that enables remote attackers to exploit a Denial of Service condition through a buffer overflow. When configured to accept HTTP Digest Authentication, the software can be manipulated to write up to 2 MB of arbitrary data to heap memory, potentially crashing the service or consuming resources, leading to degraded performance or downtime.

Affected Version(s)

Red Hat Enterprise Linux 6 Extended Lifecycle Support 7:3.4.14-15.el6_10.1

Red Hat Enterprise Linux 6 Extended Lifecycle Support 7:3.1.23-24.el6_10.1

Red Hat Enterprise Linux 7 7:3.5.20-17.el7_9.9

References

https://access.redhat.com/errata/RHSA-2023:6266
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:6267
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:6268
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.